Only the latest release on npm receives security fixes.
Please do not open a public GitHub Issue for security vulnerabilities.
Use GitHub's private vulnerability reporting to report a security issue confidentially. If you're unsure whether something qualifies as a security issue, err on the side of reporting privately.
In your report, include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a minimal proof-of-concept
- The affected version(s)
You can expect an acknowledgement within a few days and a fix or mitigation plan within a reasonable timeframe, depending on severity.